JDK-6880657

ldap session by startTLS should keep running after getAttributes() is issued


    • Type: Bug
    • Resolution: Not an Issue
    • Priority: P3
    • Fix Version: None
    • Affects Version: 5.0u11
    • Component: core-libs

When a customer's application has established an encrypted session via StartTLS to an LDAP server and issues the getAttributes() method with the URL name of the LDAP server, a new session (not encrypted) is established. Then the client and server start to communicate in plain text.

The application specifies the URL of the LDAP server in getAttributes() in order to get LDAP server information (product name, supported protocols (LDAPv2/v3)) as follows.

==== TEST PROGRAM ======
package tls;

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class Tls_connection {
    public static void main(String[] args) {
        new Tls_connection().exe();
    }

    private void exe() {
        try {
            // Set up environment for creating initial context
            Hashtable<String, Object> env = new Hashtable<String, Object>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

            // Must use the name of the server that is found in its certificate
            env.put(Context.PROVIDER_URL, "ldap://abc-vm01.2A9G01.VM.COM:389/");
            // NOTE: this line should be modified for your LDAP server

            // Create initial context
            LdapContext ctx = new InitialLdapContext(env, null);

            // Start TLS
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            SSLSession ssl = tls.negotiate();

            // ... do something useful with ctx that requires a secure connection

            /*
             * Execute bind authentication:
             * add environment properties for the authentication and re-connect
             */
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "CN=tls_user,CN=Users,DC=2A9G01,DC=VM,DC=COM");
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "Password!");
            ctx.reconnect(null);

            /* Search users */
            SearchControls scon = new SearchControls();
            scon.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String filterStr = "(" + "sAMAccountName" + "=" + "CN=tls_user" + ")";
            ctx.search("DC=2A9G01,DC=VM,DC=COM", filterStr, scon);

            /* Get server information */
            System.out.println(ctx.getAttributes("ldap://abc-vm01.2A9G01.VM.COM:389/", null)); //-----(A)
            /* Get user information */
            // System.out.println(ctx.getAttributes("CN=tls_user,CN=Users,DC=2A9G01,DC=VM,DC=COM", null)); //-----(B)

            // Stop TLS
            tls.close();

            // Close the context when we're done
            ctx.close();

            System.out.println("Succeeded");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
========================


PROBLEMS:
1) At line (A), the already established session is terminated and another, non-encrypted session begins.
   (This seems to be a security problem...)
2) At line (A), when "ldap" is replaced by "ldaps", the newly created session is encrypted.
   However, the first established session is still terminated.

REQUIREMENT:
The session established by startTLS should keep running after line (A) is executed,
without creation of a new session.

NOTE:
When line (A) is replaced by (B) (to get user information),
the first session established by startTLS keeps running; that is, line (B) satisfies the above
REQUIREMENT.
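The pattern the NOTE above points at, as an added example that is not the reporter's test program: a name beginning with "ldap://" or "ldaps://" is a JNDI URL name, which the LDAP provider resolves through its URL context factory on a fresh connection, so the StartTLS layer of the existing context never applies to it; reading the root DSE with the empty name on the same context keeps the request on the protected socket. The helper name getAttributesOnThisConnection is assumed (not a JNDI API); the host name is taken from the report and the attribute names are the standard root DSE attributes.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class RootDseOverStartTls {

    // Assumed helper (not part of JNDI): refuse URL-form names, which JNDI would hand to
    // the ldap URL context factory and thereby open a new, separately negotiated
    // connection instead of reusing this context's StartTLS-protected one.
    static Attributes getAttributesOnThisConnection(LdapContext ctx, String name, String[] attrIds)
            throws NamingException {
        String n = name.trim().toLowerCase();
        if (n.startsWith("ldap://") || n.startsWith("ldaps://")) {
            throw new IllegalArgumentException(
                "URL-form name would open a new connection; pass a name relative to the context: " + name);
        }
        return ctx.getAttributes(name, attrIds);
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Host taken from the report; replace with your own server (must match its certificate)
        env.put(Context.PROVIDER_URL, "ldap://abc-vm01.2A9G01.VM.COM:389/");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession ssl = tls.negotiate();
        System.out.println("TLS layer: " + ssl.getProtocol() + " / " + ssl.getCipherSuite());

        // Server information comes from the root DSE: empty name, same context, same TLS layer.
        String[] rootDseAttrs = {"vendorName", "vendorVersion", "supportedLDAPVersion", "namingContexts"};
        Attributes serverInfo = getAttributesOnThisConnection(ctx, "", rootDseAttrs);
        System.out.println(serverInfo);

        tls.close();
        ctx.close();
    }
}
```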

Assignee: Weijun Wang
Reporter: Tadayuki Baba (Inactive)